📙 You will learn

How to install and run the ThreadFix Plugin for Burp Suite.

First Steps

Prerequisites

Audience: IT Professional, or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: Burp Suite, the ThreadFix plugin for Burp Suite, access to a ThreadFix server and an API key

Burp Suite Application and Plugin Downloads

  1. Download the latest build of the Burp Suite application from http://portswigger.net/burp/

  2. Install and launch the Burp Suite application.

  3. In ThreadFix, click the Help icon and select Download Tools.


  4. Download the Burp Plugin from the Download Tools page in ThreadFix.


Install ThreadFix Plugin

From the Extender tab, within the Extensions sub-tab, click the Add button.

From the Load Burp Extension modal, set the Extension type to Java and, in the Extension file (.jar) field, select the threadfix-release-2-burp.jar file downloaded from the ThreadFix Download Tools page.

A new ThreadFix tab will be added to Burp. Its Main sub-tab presents three buttons:

  • Import Endpoints From Source

  • Import Endpoints From ThreadFix

  • Export Scan

Import Endpoints

Please ensure that the following are set up correctly in ThreadFix before continuing.

  • A Team with an Application is set up

  • The Application is linked to its source code

  • An API key has been created and is accessible

  1. From the ThreadFix Main tab, click the desired 'Import Endpoints...' button.

    1. Import Endpoints From Source

    2. Import Endpoints From ThreadFix

      1. From the ThreadFix > Options tab, enter the ThreadFix URL and API Key, the ThreadFix application from which to get endpoints, and the Target URL.

        Note:

        • Add "/rest/latest" to the end of the ThreadFix URL so that Burp connects using the latest version of the API (for example, if ThreadFix is served at https://threadfix.example.internal/threadfix, enter https://threadfix.example.internal/threadfix/rest/latest).

        • If ThreadFix is running over HTTPS, it may be necessary to import the ThreadFix server's certificate into Burp's trust store (<burp-install>/jre/lib/security/cacerts); see Import ThreadFix Server Certificate below. Prefer HTTPS over plain HTTP: the API key is a credential and is sent to ThreadFix with the plugin's API requests.

      2. Then, from the ThreadFix > Main tab, click Import Endpoints From ThreadFix.

Run Spider

  1. Burp will import the endpoints from the source code (or from ThreadFix, depending on the button chosen above).

  2. Begin the spider by choosing Spider from the Target tab.

  3. Burp will then begin spidering the imported endpoints and will show its progress.

  4. Once the scan is complete, it can be exported to ThreadFix.

Export Scan

  1. Select the ThreadFix > Main tab and click the Export Scan button.

  2. Enter the correct ThreadFix URL and API key.

  3. Choose the ThreadFix application to which the scan should be exported.

  4. A message will display informing you that the export succeeded.

  5. Check ThreadFix to verify that the scan was uploaded to the chosen application.

Import ThreadFix Server Certificate

Burp comes packaged with its own JRE, which is used when running the Burp .exe. Users needing to import the ThreadFix server's certificate in order to connect to it should import it into <Burp Install>/jre/lib/security/cacerts. If Burp is instead launched with a separately installed Java (java -jar burpsuite.jar), import the certificate into that JRE's cacerts, since that is the trust store the plugin will actually use. The import may need to be repeated after a Burp upgrade that replaces the bundled JRE.

Example command:

keytool -importcert -trustcacerts -alias tfcert -file /path/to/mythreadfix.cer -keystore <burp-install>/jre/lib/security/cacerts

keytool will prompt for the keystore password (the default for a JRE's cacerts is changeit unless it has been changed) and ask you to confirm that the certificate should be trusted. Restart Burp afterwards so the updated trust store is loaded.

Note: the ThreadFix certificate should have a SubjectAlternativeName (SAN) extension, or there may be trouble establishing a connection. It should contain at least the server's DNS name, plus its IP address as a backup. Java's hostname verification matches the host part of the ThreadFix URL against the names in the certificate, so the URL must use a hostname (or IP address) that appears in the SAN. For information on how to obtain the ThreadFix server's certificate, see the ThreadFix documentation.
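The following script is an added example, not part of the ThreadFix or Burp Suite documentation, showing how to check a server certificate for the SAN entries the note above requires before importing it into the JRE trust store with keytool. The hostname threadfix.example.internal, the IP 10.0.0.5, the alias tfcert and the keystore paths are assumptions; the self-signed test certificates are constructed locally so the checks run offline, and fetch_server_cert is the only function that needs network access.

```shell
#!/bin/sh
# Added example (not the ThreadFix or Burp project's own code): verify that a
# ThreadFix server certificate carries a subjectAltName, then import it into
# the cacerts file of the JRE Burp runs on. Hosts, IPs, aliases and paths are
# assumptions for illustration.
set -eu

# Obtain the leaf certificate from a live ThreadFix instance (needs network
# access; not exercised by the offline checks below).
fetch_server_cert() {          # fetch_server_cert host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Exit 0 if the certificate has a Subject Alternative Name extension, 1 if not.
cert_has_san() {               # cert_has_san certfile
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'
}

# Exit 0 if the given entry ("DNS:host" or "IP Address:a.b.c.d") is in the SAN.
cert_san_contains() {          # cert_san_contains certfile entry
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' | grep -q -F "$2"
}

# Import the certificate as a trusted entry. A JRE's cacerts password defaults
# to "changeit" unless it has been re-keyed; pass another password as $4.
import_to_truststore() {       # import_to_truststore certfile keystore alias [storepass]
    keytool -importcert -noprompt -trustcacerts \
        -alias "$3" -file "$1" -keystore "$2" -storepass "${4:-changeit}"
}

# Exit 0 if the alias is present in the keystore, 1 if not.
truststore_has_alias() {       # truststore_has_alias keystore alias [storepass]
    keytool -list -keystore "$1" -alias "$2" -storepass "${3:-changeit}" >/dev/null 2>&1
}

# Constructed test data: a self-signed certificate either with a SAN holding
# the DNS name and IP (what the note asks for) or CN-only (the failure mode).
make_test_cert() {             # make_test_cert outdir host ip with_san(yes|no)
    if [ "$4" = yes ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -addext "subjectAltName=DNS:$2,IP:$3" \
            -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    fi
}

# Walk-through; runs only when invoked as: sh threadfix_cert.sh demo
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    make_test_cert "$tmp" threadfix.example.internal 10.0.0.5 yes
    if cert_has_san "$tmp/cert.pem" \
       && cert_san_contains "$tmp/cert.pem" "DNS:threadfix.example.internal"; then
        echo "SAN present; importing into a scratch keystore"
        import_to_truststore "$tmp/cert.pem" "$tmp/cacerts" tfcert
        truststore_has_alias "$tmp/cacerts" tfcert && echo "alias tfcert imported"
    else
        echo "certificate lacks a usable subjectAltName; reissue it before importing" >&2
    fi
    rm -rf "$tmp"
fi
```

Against a real server, replace the scratch keystore with <burp-install>/jre/lib/security/cacerts and run fetch_server_cert first; the cert_san_contains check should be given exactly the hostname or IP you will type into the ThreadFix URL field, because that is what Java's hostname verification compares.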
